Description

DPM-gridftp-server Incorrect credentials propagation -- High Priority

Operational Security Coordination Team Advisory
-- Date: 2007-07-02
-- Background
The Disk Pool Manager (DPM) has been developed as a lightweight
solution for disk storage management. The DPM offers a modified
version of the Globus gridftp daemon for data access, among many
other protocols.
-- Affected Software
LCG <= 2.7.x, gLite <= 3.0.x.
gLite 3.1.x is not affected.
-- Affected Components
All versions of the DPM-gridftp-server package are affected.
DPM servers running with VDT 1.6 or later are not affected, because
they are using a different gridftp implementation from Globus Toolkit 4,
interfaced to DPM via a plug-in interface. This comes with the package
'DPM-DSI', instead of the above mentioned 'DPM-gridftp-server'.
For gLite 3.x, the affected meta-packages are:
glite-SE_dpm_disk
glite-SE_dpm_mysql
glite-SE_dpm_oracle
Sites running LCG 2.x are asked to upgrade their DPM-gridftp-server to gLite.
-- Vulnerability Details
The DPM gridftp server handles the credentials of authenticated users
in order to manage permissions on the files. Unfortunately, it appears
that under some circumstances these credentials are not correctly propagated.
As a result, it is possible for a malicious user who successfully
authenticated against the DPM gridftp service to manipulate any file
accessible by the service, including reading, writing, deleting and
changing the permissions of the affected files and directories.
-- Further documentation
This advisory is also available at the following URL:
http://cern.ch/grid-deployment/glite-web/egee/packages/R3.0/updates.asp
-- Installation Notes
The following rpms have been made available:
DPM-gridftp-server-1.6.5-3sec.i386.rpm
It is possible to upgrade the 'DPM-gridftp-server' component only
(without upgrading the rest of the DPM components) from any version
including 1.6.0 to 1.6.5-2.
If the upgrade is not feasible, then we recommend stopping the DPM
gridftp service and contacting the developers for the possibility
of a custom upgrade path:
/sbin/service dpm-gsiftp stop
/sbin/chkconfig --del dpm-gsiftp
The updated rpms are available in the appropriate repositories for each distribution:
http://cern.ch/grid-deployment/glite-web/egee/packages/R3.0/updates.asp
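A host can be triaged against these installation notes with a short script. This is an added example, not part of the original advisory; it assumes that builds numerically older than the fixed rpm 1.6.5-3sec are affected, and it compares numeric version fields only (release tags such as "sec" are ignored).

```sh
#!/bin/sh
# Added example (not from the advisory): triage a host against this advisory.
# Assumption: builds older than the fixed rpm named above (1.6.5-3sec) are
# affected; only numeric fields are compared, tags such as "sec" are ignored.
PKG="DPM-gridftp-server"
FIXED_FIELDS="1 6 5 3"      # numeric fields of 1.6.5-3sec

# Return 0 if the VERSION-RELEASE string in $1 is older than the fixed build.
is_older_than_fix() {
    set -- $(printf '%s' "$1" | tr '.-' '  ' | sed 's/[^0-9 ]//g')
    for want in $FIXED_FIELDS; do
        have=${1:-0}
        [ "$have" -lt "$want" ] && return 0
        [ "$have" -gt "$want" ] && return 1
        [ $# -gt 0 ] && shift
    done
    return 1
}

# classify_dpm_gridftp VERSION-RELEASE
# Prints one of: not-installed | affected | at-or-above-fix
classify_dpm_gridftp() {
    if [ -z "$1" ]; then echo "not-installed"
    elif is_older_than_fix "$1"; then echo "affected"
    else echo "at-or-above-fix"
    fi
}

# Installed VERSION-RELEASE of the package; empty if absent or rpm is missing.
installed_version() {
    command -v rpm >/dev/null 2>&1 || return 0
    rpm -q --qf '%{VERSION}-%{RELEASE}\n' "$PKG" 2>/dev/null |
        grep -v 'not installed' | head -n 1
}

# Print the triage result and, for an affected host, the advisory's actions.
report() {
    status=$(classify_dpm_gridftp "$1")
    echo "$PKG ${1:-<none>}: $status"
    if [ "$status" = "affected" ]; then
        echo "  upgrade to DPM-gridftp-server-1.6.5-3sec, or stop the service:"
        echo "    /sbin/service dpm-gsiftp stop"
        echo "    /sbin/chkconfig --del dpm-gsiftp"
    fi
}

report "$(installed_version)"
```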
-- Credit
This vulnerability has been discovered by Kostas Georgiou.
-- Disclosure Timeline
2007-06-19 Vulnerability reported to the LFC/DPM developers
2007-06-19 Initial response from the LFC/DPM developers
2007-06-26 Updated packages ready for certification and testing
2007-07-02 OSCT notified of the vulnerability
2007-07-02 Updated packages certified
2007-07-02 Release preparation completed
2007-07-02 Updated LCG and gLite packages available
2007-07-02 Public disclosure
2007-07-02 Site Admins and LCG Security Contacts notified
-- References
The details of the vulnerability and the update can be found here:
http://cern.ch/grid-deployment/glite-web/egee/packages/R3.0/updates.asp
For more detailed information including fixed bugs, updated RPMs,
configuration changes and how to deploy, please go to the 'Details'
link next to each service on the 'Updates' web page.
All issues found with this update should be reported using GGUS:
www.ggus.org.